While strolling in a busy, crowded street, you notice someone walking along in sunglasses who looks like any other unsuspicious pedestrian. But with his glasses equipped with a hidden miniature camera, high-speed Wi-Fi connectivity, and facial recognition software, this gentleman, actually a cop, is patrolling, trying to identify suspects and potential criminals in the crowd in a jiffy, based on the online search queries for ‘digital faces’ that the software makes on publicly accessible social networking sites. Besides, technology is also available that lets the wearer of such glasses take your picture, not with any NFC-enabled hand-held device but at the wink of an eye. Anyone in a public space expects a lesser degree of privacy by default, but one still has a reasonable expectation not to be identifiable, and to be free from being profiled and from intrusion into one’s privacy. What if, due to a bug in the facial recognition software, an innocent person like you is identified and held as a suspect, and has to undergo all the agony before being proven otherwise?

You avail yourself of a vehicle health diagnostics service from device manufacturers of ‘connected cars’ using telematics, and find a sudden spike in your car insurance premium. Increasingly being adopted by consumers, this facility remotely monitors vehicle speed, driving route destination, duration of driving, time of driving, car speed, acceleration, and other driving characteristics, and could be used for getting timely alerts about anything from when to replace a tyre to impending engine failure. But it is also being used for what are termed ‘user based insurance programs’, whereby consumers benefit from a lower insurance premium when their driving behavior tilts towards ‘safe driving habits’, and vice versa. As long as this is done at your will, it may be fine, but instances have been reported of insurers increasing premiums without consumers’ consent. Moreover, in the absence of data protection measures, the data may be used by stalkers and marketing organizations, and the impact of this needs no elaboration!

In March 2016, the FTC (Federal Trade corporation), the body that regulates privacy in the e-commerce industry in the US, warned app developers whose apps used software that helps monitor the television viewing habits of consumers by activating the microphone in their smartphones without their knowledge. When the software is deployed, the microphone can detect audio beacons contained in and emitted by television programs or advertisements from TVs in the vicinity of the smartphone, thereby enabling third parties to develop a picture of consumers’ TV viewing habits and subsequently use it for targeted advertisements. Targeted advertisements on a television, which is a multi-user device, can lead to disclosure of one user’s viewing habits to others, which impacts one’s privacy.

There is a plethora of such examples of privacy being violated by unscrupulous use of technology. These are not hypothetical possibilities but real threats to privacy, resulting from unprecedented development and innovation in mobile communication technologies, the internet of things, and big data, coupled with falling hardware costs. It is also a reality that innovation will continue to outpace the regulatory changes triggered by increasing concerns about citizens’ privacy.

Do we still buy the “nothing to hide” argument that skeptics often use against privacy? As we saw in the above examples, the argument no longer holds. In any developed society which cares for human rights, an individual often has his own private circles – family, friends, colleagues, relatives, social groups – and given that the information he shares within each of these circles may differ, he will have a reasonable expectation of privacy: that any information is shared between these groups only with his consent. There is also a lot of information an individual may not like to share with anyone at all, not even with parents, spouse or close friends. Developed societies recognize this as a fundamental right to freedom of thought and experimentation that helps an individual to grow intellectually, discern right from wrong and develop his own set of values, obviously within legal boundaries.

What then is the right thing to do? Should the industry shun innovation, or should we consider privacy a lost cause? The answer is neither of these extreme positions. Most innovations in business processes that leverage technology immensely benefit citizens, consumers and the community at large, and need to continue. But since, depending on the use case, they also have the potential to introduce newer privacy risks, it is important to ensure that the industry deploys appropriate data protection measures based on a privacy risk assessment before taking a solution to market. Some of the key considerations for the digital industry, apart from adhering to the usual data privacy principles, are elaborated below.

Consent not a solution: The conventional approach of taking consent on a privacy notice is no longer sufficient, although necessary where possible, given that personal data is often collected indirectly and without any opportunity for a transaction or agreement between the data subject and the organization, as we saw in the above examples. Even when data is collected directly, privacy notices are often cumbersome to read, let alone understand, thereby making it difficult for a user to exercise a ‘fair’ choice. Hence, organizations must take accountability for ensuring data privacy rather than using consent as an alternative or workaround.

No Secondary use of data: Personal data collected for one purpose should not be used for another without the individual’s consent. It is tempting to go for a privacy notice drafted in a manner that covers and allows much broader usage of data by the organization, but such notices are not considered appropriate, and are sometimes treated as illegal, due to the ambiguity they introduce and the individual’s inability to make the right choice.

Privacy by Design (PbD): Data privacy aspects must be embedded during the design of a solution or equipment. Data minimization, de-identification, data obfuscation, and differential privacy are some examples of privacy features that could be implemented. Ever-increasing importance is being given to PbD, and the recently enacted GDPR (General Data Protection Regulation) of the European Union has also made it a mandatory requirement for organizations handling personal data of EU citizens, regardless of where in the world such organizations are located.

Monitoring & Surveillance to be minimum: As the saying goes, the amount of surveillance required must be like salt in food – essential in small amounts, but anything more can have undesirable consequences. Apart from providing notice and obtaining choice, surveillance must be done in the least intrusive manner, and the data must not be analyzed for any purpose other than the original objectives. Sufficient controls must be deployed to ensure that the monitoring & investigating team resists the temptation to capture or disclose any findings, even if sensational, that are unconnected with the objective of the surveillance. Similarly, a layered approach to investigation must be adopted to establish whether a suspect is an offender, so that in the event of a false positive originating from limitations of the deployed software, the victim is least inconvenienced.

Transparency: Being open with consumers or employees about data privacy practices helps build trust among data providers and is likely to enhance repeat business for organizations in the long run. Data privacy is about giving data providers choice and freedom over how they would like their data to be treated, and the first step towards this is being fair and honest in communicating processing practices so that the individual can take an informed decision.

Cultural differences to be recognized: A particular piece of personal data, or a processing operation, may be sensitive for some, while another individual may consider it absolutely normal, depending on cultural, demographic and economic aspects. There are individuals who don’t mind parting with their personal information to get freebies, or uploading personal photos to the cloud when space is offered for free, while there are others who would expect an explicit opt-in approach for any data processing operation. Both are right in their view, and it is for business to appreciate and discern such groups & circumstances and deploy privacy measures accordingly.

To conclude, whether we like it or not, innovation will continue to happen, and instead of expecting laws to regulate innovation, we should have an omnibus data privacy regulation which makes organizations accountable & responsible for privacy compliance and for speedy redress of consumers’ grievances in the event of a breach. Since regulations are often not helpful on prescriptive guidance, they have to be supplemented with sector-specific ‘standards’ or ‘codes of practice’ to help specific industry sectors maintain a balance between innovation and privacy. Once these are developed, achieving certification against such standards would give consumers confidence in privacy assurance, and sellers a business advantage.

DISCLAIMER: The views expressed are solely of the author and ETCISO.in does not necessarily subscribe to it. ETCISO.in shall not be responsible for any damage caused to any person/organisation directly or indirectly.